GESTS483 S2 February 17 2022
Architecture
CREATION OF ENTERPRISE VALUE
Participants need access to the COBIT 2019 books.
Step 1. Go to the ISACA.ORG pages.
Step 2. Register as a visitor (free).
Step 3. Download the books at the two following links:
1. COBIT 2019 Framework: Introduction & Methodology | Digital | English
https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9cEAC
Notice: This material is based on COBIT 2019 publications from ISACA.ORG and supports COBIT 2019 Foundation Certification.
Content is copyrighted to ISACA.
Illustrations and presentations are copyrighted to Georges Ataya (A&P)
The Context of Enterprise Governance of Information and Technology
Figure (diagram, text only): Enterprise Governance → Enterprise Governance of IT → Business/Infosec Alignment → Value Creation.
Source: De Haes, Steven; W. Van Grembergen; Enterprise Governance of Information Technology: Achieving Alignment and Value, Featuring COBIT 5, 2nd ed., Springer International Publishing, Switzerland, 2015, https://www.springer.com/us/book/9783319145464
What is digital transformation?
Digital transformation happens when companies adopt digital technologies to create innovation, improve business processes, and offer better value to their customers.
True digital transformation takes place across two distinct dimensions:
1. Integration of digital technology. Technology creates fundamental changes in business models.
2. A cultural shift. Businesses must learn to push boundaries, experiment, and accept the associated failures. This potentially involves abandoning well-established processes for new ones, ones that are often still being defined.
United Airlines meets customers wherever they are
https://www.youtube.com/watch?v=4Y31MD36xF4
Resource optimization: appropriate capabilities are in place to execute the strategic plan, and sufficient, appropriate and effective resources are provided.
Governance ensures that:
• Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
• Direction is set through prioritization and decision making.
• Performance and compliance are monitored against agreed-on direction and objectives.
COBIT goals cascade (figure, text only):
Stakeholder drivers and needs (digital transformation, security, regulatory requirements, system reliability, cost reduction, etc.) cascade to Enterprise Goals, which cascade to IT Alignment Goals (e.g. I&T compliance, managed I&T-related risks, delivery of I&T services, expertise for innovation, etc.), which cascade to IT Governance and Management Objectives.
Three cascades from the governance objectives:
- Benefits realization → IT Governance and Management Objectives: Managed Innovation; Managed Projects/Programs; Managed IT Change.
- Risk optimization → Enterprise Goals: ensure the ability to carry out risk assessments, strengthen weak areas, modify risky treatments and practices, and respond to and manage incidents → IT Alignment Goals → IT Governance and Management Objectives: Managed Risk; Managed Security; Managed Security Services.
- Resource optimization → Ensured Resource Optimization → IT Governance and Management Objectives: Managed Portfolio; Managed Budget & Costs.
Purpose statements (table, five columns):
1. Helps to ensure the identification and management of all IT-related risk.
2. Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance.
3. Helps to ensure that a business partner's operations are secure, reliable and compliant with applicable rules and regulations.
4. Helps to ensure that an IT vendor's operations are secure, reliable and compliant with applicable rules and regulations, to ensure the identification and management of all IT-related risk.
5. Helps to ensure compliance activities are conducted in a manner that delivers value to the organisation.
COBIT Core Model: Governance and Management Objectives and Purpose
Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain. Example: EDM02, Ensured benefits delivery.
Build, Acquire and Implement (BAI). Example: BAI03, Managed solutions identification and build.
Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services, including security.
Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements. Example: MEA01, Managed performance and conformance monitoring.
End of session 2
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems—Poor assessments may indicate that service levels are not in place or not functioning well, or that the business is not adequately involved in IT decision making.

Insufficient IT resources, staff with inadequate skills and staff burnout/dissatisfaction—These are significant IT human resource management issues that require effective oversight and good governance to address people management and skills development effectively. They may also indicate underlying weaknesses in IT-demand management and internal service-delivery practices (among other latent issues).

Multiple and complex IT assurance efforts—This scenario could indicate poor coordination between the business and IT regarding the need for, and execution of, IT-related assurance reviews. A low level of business trust in IT may prompt the business to initiate its own reviews. Alternatively, it could suggest a lack of business accountability for, or involvement in, IT-assurance reviews, if the business is simply not aware when reviews take place.

Reluctance of board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT—These pain points often indicate a lack of business understanding and insight into IT, insufficient IT visibility at appropriate levels, or ineffective management structures. The pain points may also indicate issues with board mandates, which are often caused by poor communication between the business and IT, and/or misunderstanding of the business and IT by the business sponsors for I&T.

High level of end-user computing, creating (among other issues) a lack of oversight and quality control over the applications that are being developed and put in operation—A high level of end-user computing may strain communication between IT and the business, and could entail loose controls around installation of business applications. It may result from suboptimal portfolio and project formulation, and/or inadequate proposal and approval mechanisms. EGIT can help establish a common view on the role and value of IT to optimize security and functionality of end-user devices.
Copyright © 2019 Ataya & Partners. All rights reserved.
What value creation in those Pain Points?
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department—This pain point may relate to the end-user computing issue and the optimal use of data and information; however, it primarily results when the business attempts to implement more robust solutions and services in the normal course of pursuing business advantage. Lack of communication or trust between business and IT can contribute to unsanctioned, independent development, or exacerbate its symptoms (in the form of service issues, etc.).

Ignorance of and/or noncompliance with security and privacy regulations—Mitigating new security and privacy threats should be on the agenda of every enterprise, not only for compliance reasons but also to preserve the value the enterprise generates. Ignorance of and/or noncompliance with regulations can seriously impair the enterprise and should be managed through proper EGIT.

Inability to exploit new technologies or innovate using I&T—A common business complaint casts IT in a supporting role, whereas the enterprise needs IT to innovate and provide a competitive edge. Such complaints may point to a lack of true bidirectional alignment between business and IT, which could reflect communication issues or a need to increase business involvement in IT decision making. Alternatively, the business may involve IT too late in its strategic planning or business initiatives. The issue often arises most emphatically when economic conditions require rapid enterprise responses, such as the introduction of new products or services.